The Hong Kong Securities and Futures Commission (SFC) has tightened security regulations for virtual asset trading platforms and online brokerages, aiming to strengthen defenses against phishing attacks. This shift prohibits SMS, email, and app-based one-time passwords as authentication methods and provides industry players with a 12-month deadline to meet these newly reinforced security protocols.
What are the updated security priorities?
The SFC now emphasizes the use of passkeys, cryptographically registered devices, and hardware security keys, which are considered more robust against phishing. These measures aim to minimize security breaches that are exacerbated by sole reliance on passwords and one-time codes, reflecting the SFC’s commitment to bolstering account security for virtual asset users.
As the regulator in charge of one of the world’s major financial markets, the SFC’s actions set a precedent for cybersecurity expectations—particularly as online fraud and cyber scams continue to advance.
Dr. Ye Zhiheng, Executive Director of the Intermediaries Division at the China Securities Regulatory Commission, highlighted the importance of combining prevention, detection, response, and education to effectively guard against evolving scams and fraudulent activities.
Are cyberattacks becoming more frequent?
Yes, cyberattacks have indeed been on the rise. In early 2026, the global cryptocurrency sector reported $306 million in losses due to phishing and social engineering attacks, representing a significant portion of the $482 million total losses for the quarter. The Hong Kong Cyber Security Incident Coordination Center noted that scams and fraud accounted for over half of security reports in 2025.
Several notable incidents have further driven regulatory attention. Recently, an investor on the Ethereum network was defrauded of around $1 million from a malicious token operation. In the initial months of 2026 alone, global losses linked to phishing scams soared to $366 million.
- The financial impact of cyberattacks is substantial, escalating the need for regulatory interventions.
- The incidents highlight the necessity of adopting advanced security devices and cryptographic methods to protect user accounts.
- Preventive measures and continual monitoring are essential to counteract prevalent security threats.
Wallet security remains a critical concern, as seen with a wallet owner losing $1.65 million through a fraudulent exchange. Calls for stricter security have been echoed by industry leaders such as Binance co-founder Changpeng Zhao and others. A notable case in 2024 saw a substantial $71 million loss to an address poisoning scam, although the funds were later returned, hinting at a possible breakthrough in offender tracking and cybercrime interventions.



